This is the third part in our Future of MIM blog series, examining moving from MIM to the cloud.
Part 1 of this blog series discussed Microsoft Identity Manager (MIM) and how it provides automated account provisioning, entitlement management, and enables hybrid identity management with Azure. In Part 2 we talk about moving to modern identity, including how Azure can provide secure services and applications based on modern security protocols. This allows for centralized authentication and authorization is only synchronized between the application and Azure.
Here in Part 3, we will discuss governance as it relates to identity. Then we will narrow our focus to a subset of governance where Azure AD’s rapid and on-going evolution impacts MIM users’ decisions to implement more comprehensive governance and identity security.
What is Identity Governance?
An effective Identity Governance strategy should enable an organization to answer these key questions:
- Which users should have access to which resources?
- What are those users doing with that access?
- Are there effective organizational controls for managing access?
- Can auditors verify that the controls are working?
Operational efficiency is key here, whether it’s ensuring those controls don’t get in the way of users, as well as driving costs out of the audit process.
We are going to narrow down the breadth of identity governance to the following areas where Azure AD has made huge strides that affect your planning around identity governance in general, and MIM specifically:
- Identity Lifecyle Management
- Dynamic Groups
- Access Reviews
- Entitlement Management
- External Identities
Identity lifecycle management
Azure AD currently includes these ILM capabilities:
- The use of the HR-driven provisioning (Workday, SuccessFactors) to provision Azure and on-premises AD Accounts
- Automated application provisioning for pre-integrated applications (gallery SaaS apps) to create and manage accounts and roles inside those applications (ServiceNow, Drop Box) and to applications that support SCIM 2.0
- Azure AD on-premises application provisioning so organizations can provision to supported SQL Databases and LDAP Directories
There remain use cases where MIM may need to be retained in conjunction with Azure AD, but these are rapidly declining as the heavy lifting for identity management is rapidly being shifted to the cloud.
Dynamic Groups fall under governance because it is part of your Identity Access Lifecycle, ensuring that people get access to what they need and are removed when they move or leave. Verifying controls around ILM is a key part of most audits and therefore is a key part of governance solutions.
In most of our engagements, dynamic groups are central to our client’s solutions. Azure AD Dynamic Groups are fine for cloud-centric clients, but if there are still on-premises dynamic groups there may be an argument to retain MIM.
MIM can prepare your identity structure and on-premises AD accounts to synchronize to Azure AD via Azure AD Connect. It can also provide the values for attributes synchronized to Azure AD and so that dynamic groups can utilize the synced attributes to populate memberships (i.e., Licensing Groups, Access to SaaS Apps, Azure Role assignments).
The complexity of governance of Dynamic Groups is such that Oxford Computer Group only makes recommendations after analyzing customer business requirements. There’s a variety of solutions, including retaining MIM, using a SCIM connector, or third-party ISV solutions. We suspect that we’ll see more from Microsoft in the future.
Azure AD has rapidly evolving capabilities when it comes to access reviews, and when used in conjunction with Azure Audit Logs it provides the data needed for successful audits. This is an area of rapid evolution for Microsoft, and we expect that to see changes in the near (6 months) and long-term future.
If needed, MIM can control the creation and management of on-premises AD groups and can synchronize them to Azure AD. Now, we can create access reviews to make sure the right people have continued access in memberships of these on-premises groups.
On-premises, synchronized Azure AD accounts can take advantage of users requesting additional access to Azure Resources (Licensing Groups, SaaS Apps, Azure Role assignments). Entitlement Management manages the identity and access lifecycle by automating access request workflows, access assignments, reviews, and expiration.
Companies have used MIM in the past to manage business partners and created on-premises accounts for them to access resources. This process did not have a source of truth and these external users could exist indefinitely in your on-premises system. Azure AD Identity Governance allows companies to manage external identities with the following controls:
- Onboard external users with an approval process and manage their lifecycle through access packages. When the package expires, the users will be removed from Azure.
- Create Access Reviews to disable or delete external identities no longer needed.
- Find external identities created manually and not invited through an Entitlement Management process.
Privileged Identity Management
Azure AD Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Azure AD PIM is only available for Azure resources.
- Azure PIM can manage on-premises Privileged Groups with custom write-back scripts, and this could be a solution if you do not want to invest in the MIM PAM solution. I would keep watching this space as Microsoft releases more built-in Azure processes for managing on-premises groups.
- We can also utilize Azure PIM to manage tasks for guests such as assigning access to specific Azure resources, specifying assignment duration and end date, or requiring two-step verification on active assignment or activation. This can replace MIM’s on-premises account solution supporting external users.
MIM has its own Privileged Access Management (MIM PAM) for on-premises AD only, but this solution is no longer recommended by Oxford Computer Group. MIM PAM was designed only for isolated environments, making it incompatible with modern application and zero trust frameworks.
This blog discussed situations where MIM could be used to augment certain Azure AD Identity Governance tools, but we also can see that Azure AD does have some limited options to replace MIM in certain circumstances. As of yet there is not a complete solution for moving off MIM, but we have learned that there are more tools available in Azure AD to help maintain and secure our identities. Our upcoming blogs will explore third-party ISV solutions that can help meet your Identity Governance requirements.
Want to learn more about moving from MIM to the cloud? Check out the recording of our Q&A webinar here.